Port definitions in a policy module
Dominick Grift
dominick.grift at gmail.com
Tue Dec 3 22:17:50 UTC 2013
On Tue, 2013-12-03 at 13:45 -0800, Jeff Sheltren wrote:
>
> I came across some post from 2007 claiming that 'portcon' (which I think
> would be the way to do this) isn't supported in policy modules "(yet)", so
> I'm wondering if something has changed, or if there is any other way to
> implement this without the direct call to the semanage command.
>
> The big picture is this: I would like to be able to leverage
> the httpd_can_network_memcache boolean, allowing httpd (php) to connect to
> multiple pre-defined memcache ports, without having to allow full network
> access from httpd.
Nope currently the only way is semanage port -a (or change the source
policy directly), you can specify port ranges, instead of individual
ports if that applies
The common intermediate language and its compiler would enable one to
specify portcon context specs in individual modules ( i believe ) but
its is still a work in progress.
More information about the selinux
mailing list